firestorm.conf.5

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

.TH firestorm.conf 5 "1 April 2002"
.IX firestorm.conf
.SH NAME
firestorm.conf \- Firestorm NIDS sensor configuration file
.sp 0
.SH DESCRIPTION
\fBfirestorm.conf\fP is the configuration file which governs how the
\fBfirestorm-nids(8)\fP NIDS sensor will run. Any line whose first character is
'#' is considered a comment line. Empty lines are ignored.
.sp 1
The file contains entries of the form:
.sp 1
.RS
\fBkeyword <arg 1> <arg 2> ... <arg n>\fP
.RE
.sp 1
Below follows a brief discussion of the usage of each keyword. Your firestorm
package should also include a sample configuration file which provides a good
commentary.
.sp 1
.TP 17
.B firestorm_root
Directory to chdir() to during operation. All other paths are relative to this
one. If ommitted it will default to "/".
.sp 1
.TP 17
.B chroot
This is a boolean value.  If set to "yes" (without the quotes)
\fBfirestorm-nids(8)\fP will chroot to the directory given to it by the
\fBfirestorm_root\fP directive. Note that all files (including plugins) that
firestorm needs access to while running must be inside the chroot directory!
.sp 1
.TP 17
.B effective_gid
If this value is non-zero and \fBfirestorm-nids(8)\fP is started as root,
\fBfirestorm-nids(8)\fP will set its GID to this value. Firestorm will shed its
membership of any other groups. Firestorm will NOT look up a group name so you
must enter the numeric GID.
.sp 1
.TP 17
.B effective_uid
If this value is non-zero and \fBfirestorm-nids(8)\fP is started as root;
\fBfirestorm-nids(8)\fP will set its UID to this value.  Firestorm will NOT look
up a user name so you must enter the numeric UID.
.sp 1
.TP 17
.B load_plugins
The \fBload_plugins\fP directive tells \fBfirestorm-nids(8)\fP where it can find
its plugins. You must specify exactly one directory path as the argument.
\fBFirestorm(8)\fP will not recurse directories.  You may specify multiple
directories by using multiple \fBload_plugins\fP directivesP.
.sp 1
.TP 17
.B load_plugin
The \fBload_plugin\fP directive is similar to the \fBload_plugins\fP directive
except for that it takes a path to a file rather than a directory. The file
should be a valid \fBfirestorm-nids(8)\fP plugin. Firestorm will fail to start
if any of the files specified by this directive do not load successfully.
.sp 1
.TP 17
.B logfile
This directive is perhaps a little bit of a misnomer. It essentially tells
firestorm to daemonise and send all output to a logfile. The single argument is
the path to the logfile. You will nearly always want to set this directive. Note
that the logfile gets overwritten every time firestorm is run
- it is only intended to be a record of what happened last time firestorm was
run for diagnostic purposes.  If you do not set this directive, firestorm will
not daemonize and will output log messages to stdout.
.sp 1
.TP 17
.B capture
This directive specifies where \fBfirestorm-nids(8)\fP should capture network
data from.  The first argument specifies what type of device it is capturing
from and the second argument consists of plugin-specific options such as what
interface to listen on or what file to read from etc...
.sp 1
\fBpcap\fP - Most people will want to capture from the live network with
libpcap.  This plugin has only one option 'if' which is used to specify which
interface to listen on. (eg: if='eth0' or if='any' to listen on all interfaces).
.sp 1
\fBpcapfile\fP - \fBFirestorm(8)\fP can also capture from libpcap files
captured, for example by tcpdump. This plugin also has only one argument 'file'
to specify the filename. (eg: file='./captures/mynetwork.cap').
.sp 1
\fBlinux\fP - \fBFirestorm(8)\fP has the ability to support high-speed OS
specific capture plugins. Use this plugin if you run a recent Linux kernel with
mmap() packet socket support. This plugin takes two options 'if' and 'blocks'
where 'if' is an interface to listen on and blocks is a number specifying how
many blocks to use in the ringbuffer. Generally the higher this number the more
memory is used and the less packets will be dropped - you can look in the
firestorm log output to get an idea of how much memory (in KB) it translates to.
(eg: if='any' blocks=128).
.sp 1
\fBtcpdump\fP - This plugin is a hi-speed alternative to the pcapfile plugin and
doesn't depend on libpcap. This plugin is recommended over and above pcapfile.
It takes the same arguments (eg: file='./myfile.cap').
.sp 1
.TP 17
.B preprocessor
The \fBpreprocessor\fP directive instructs \fBfirestorm-nids(8)\fP to initialise
and use a preprocessor. No preprocessors are executed unless you specify them
here. The first argument to this directive is the name of the preprocessor and
the second (optional) parameter is to pass additional configuration to the
preprocessor itself.
.sp 1
.TP 17
.B output
The \fBoutput\fP directive is used to configure the alert log directory and log
rotation parameters. It requires at least one argument, 'dir' to be set and has
optional parameters for fine tuning log rotation. The arguments are documented
below:
.sp 1
\fBdir\fP - Sets the location of the log spool directory.
.sp 1
\fBsize\fP - Sets the upper bounds on the size of a log file before rotating. Set
to zero to disable filesize based log rotation.
.sp 1
\fBminutes\fP - Sets the maximum size that a logfile can grow to before being
rotated. Set to zero to disable time based log rotation.
.sp 1
\fBstormwall\fP - Must be one of 'none', 'wait' or 'fail'. Tells firestorm how
to notify stormwall of new logfiles becoming available. 'none' disables stormwall
notification, 'wait' tells firestorm to wait for stormwall to start before capturing
packages and 'fail' tells firestorm to immediately fail if stormwall isn't running.
.sp 1
\fBbuf\fP - How large to set the output buffer, in bytes. Set to zero for
maximum reliability. The higher this value, the higher the performance but the
lower the reliability. The reliability hit can be ameliorated by log rotation
size or time limit. Rotated logfiles are *guaranteed* written to disk.
.TP 17
.B signatures
This directive is used to load attack signatures in to \fBfirestorm-nids(8)\fP.
It requres 2 parameters, the first specifies the type of signatures being loaded
(eg: snort) and the second specifies the path to the file. You can load as many
signature files as you need.
.sp 1
.SH SEE ALSO
\fBfirestorm-nids\fP(8)
.sp 1
.SH AUTHOR
Original version by Gianni Tedesco.
.sp 1
Man page by Gianni Tedesco <gianni@scaramanga.co.uk>
.sp 1
Copyright (C) 2002 by Gianni Tedesco <gianni@scaramanga.co.uk>